CLAIMS

What is claimed is: 

1. A network system that resists denial of service attacks on an access link to a destination
host belonging to a virtual private network (VPN), said network system comprising:

one or more egress boundary routers having connections to an access network including
the access link, wherein said one or more egress boundary routers transmit intra-VPN traffic
from sources within the VPN and extra-VPN traffic from sources outside the VPN within
separate access network logical connections for intra-VPN and extra-VPN traffic; and

a plurality of ingress boundary routers coupled to the one or more egress boundary
routers for communication utilizing a network-based VPN protocol that logically partitions
intra-VPN and extra-VPN traffic, such that denial of service attacks on said access link originating
from sources outside the VPN can be prevented.

2. The network system of Claim 1, and further comprising a Differentiated Services 
network coupling at least one of the plurality of ingress boundary routers and at least one of the 
one or more egress boundary routers. 

3. The network system of Claim 1, and further comprising a plurality of customer premises
equipment (CPE) edge routers each coupled to a respective one of said plurality of ingress
boundary routers.

4. The network system of Claim 1, and further comprising the access network.

5. The network system of Claim 4, and further comprising a customer premises equipment
(CPE) edge router to the access link.

6. The network system of Claim 5, said CPE edge router having a physical port coupled to
said access link, said physical port implementing a first logical port for intra-VPN traffic and a
second logical port for extra-VPN traffic.

7. The network system of Claim 1, wherein at least one of said plurality of ingress boundary
routers implements a plurality of tunnels that logically partition intra-VPN and extra-VPN
traffic.



8. The network system of Claim 1, wherein said one or more egress boundary routers
provide a plurality of different qualities of services to said intra-VPN traffic.

9. A network system, comprising:

an access network having an access link to a destination host belonging to a virtual
private network (VPN), wherein said access network supports a first logical connection for
intra-VPN traffic from sources within the VPN and a second logical connection for extra-VPN traffic
from sources outside the VPN;

one or more egress boundary routers having connections to the access network, wherein
said one or more egress boundary routers transmit intra-VPN traffic toward the destination host
via the first logical connection and transmit extra-VPN traffic toward the destination host via the
second logical connection; and

a plurality of ingress boundary routers coupled to the one or more egress boundary
routers for communication utilizing a network-based VPN protocol that logically partitions
intra-VPN and extra-VPN traffic, such that denial of service attacks on said access link originating
from sources outside the VPN can be prevented.



10. The network system of Claim 9, and further comprising a Differentiated Services
network coupling at least one of the plurality of ingress boundary routers and at least one of the
one or more egress boundary routers.



11. The network system of Claim 9, and further comprising a plurality of customer premises
equipment (CPE) edge routers each coupled to a respective one of said plurality of ingress
boundary routers.

12. The network system of Claim 9, and further comprising a customer premises equipment
(CPE) edge router to the access link.

13. The network system of Claim 12, said CPE edge router having a physical port coupled
to said access link, said physical port implementing a first logical port for intra-VPN traffic and
a second logical port for extra-VPN traffic.

14. The network system of Claim 9, wherein at least one of said plurality of ingress boundary
routers implements a plurality of tunnels that logically partition intra-VPN and extra-VPN
traffic.

15. The network system of Claim 9, wherein said one or more egress boundary routers
provide a plurality of different qualities of services to said intra-VPN traffic.

16. A method of protecting an access link to a destination host belonging to a virtual private
network (VPN) against denial of service attacks, said method comprising:

in an access network including the access link, providing a first logical connection for
intra-VPN traffic from sources within the VPN and a second logical connection for extra-VPN
traffic from sources outside the VPN;

communicating, from a plurality of ingress boundary routers to one or more egress
boundary routers, intra-VPN and extra-VPN traffic destined for said destination host, wherein
said intra-VPN traffic and said extra-VPN traffic are transmitted utilizing a network-based VPN
protocol that logically partitions intra-VPN and extra-VPN traffic;

transmitting intra-VPN traffic from said one or more egress boundary routers toward the
destination host via the first logical connection, and transmitting extra-VPN traffic from said one
or more egress boundary routers toward the destination host via the second logical connection,
such that denial of service attacks on said access link originating from sources outside the VPN
can be prevented.



17. The method of Claim 16, wherein said communicating comprises communicating
utilizing a Differentiated Services protocol.

18. The method of Claim 16, wherein a customer premises equipment (CPE) edge router is
coupled between said access network and said destination host, said method further comprising:

at a physical port of the CPE edge router coupled to the access link, providing first and
second logical ports; and

receiving intra-VPN traffic at the first logical port, and receiving extra-VPN traffic at the
second logical port.

19. The method of Claim 16, and further comprising logically partitioning intra-VPN and
extra-VPN traffic by at least one of said plurality of ingress boundary routers utilizing a plurality
of tunnels.



20. The method of Claim 16, and further comprising said one or more egress boundary
routers providing a plurality of different qualities of services to said intra-VPN traffic.



